Managing virtual computing testing

ABSTRACT

Systems, methods, and interfaces for the management of virtual machine instances and other programmatically controlled networks are provided. The hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. Aspects of the virtual network may be assessed for vulnerabilities at varying levels of granularity and sophistication when a suspicious event or triggering activity is detected. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

This application is a continuation of U.S. patent application Ser. No.12/981,322, entitled MANAGING VIRTUAL COMPUTING TESTING, and filed Dec.29, 2010, the entirety of which is incorporated herein by reference.

BACKGROUND

Generally described, computing devices utilize a communication network,or a series of communication networks, to exchange data. Companies andorganizations operate computer networks that interconnect a number ofcomputing devices to support operations or provide services to thirdparties. The computing systems can be located in a single geographiclocation or located in multiple, distinct geographic locations (e.g.,interconnected via private or public communication networks).Specifically, data centers or data processing centers, herein generallyreferred to as a “data center,” may include a number of interconnectedcomputing systems to provide computing resources to users of the datacenter. The data centers may be private data centers operated on behalfof an organization or public data centers operated on behalf, or for thebenefit of, the general public.

To facilitate increased utilization of data center resources,virtualization technologies may allow a single physical computing deviceto host one or more instances of virtual machines that appear andoperate as independent computing devices to users of a data center. Withvirtualization, a single physical computing device can create, maintain,delete, or otherwise manage virtual machines in a dynamic matter. In thesimplest embodiment, users can request single computing device computerresources from a data center. In more complex embodiments, users, suchas system administrators, can request the configuration of virtualmachine instances corresponding to a desired set of networked computingdevices. In such embodiments, the data center can implement varyingnumber of virtual machine instances to implement the functionality andconfiguration of the requested physical computing device network.

One advantage of virtualization technology is that it allows forvisibility into the status and configuration of the hosted virtualmachine network. Modern networks are often distributed systems, lackinga single management entity with the ability to directly monitor networkdevices and traffic. This lack of central oversight can lead not only tothe waste of network resources through overbroad vulnerability scanningand compliance measures, but can cause potentially problematic networkevents and changes in configuration to go unnoticed. In contrast, avirtual machine network can provide visibility into the operation andstatus of the virtual network. This increased transparency can lead togreater opportunities for network management, particularly in the areaof network security.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of thisdisclosure will become more readily appreciated as the same becomebetter understood by reference to the following detailed description,when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrating an embodiment of a substratenetwork having computing nodes associated with a virtual computernetwork;

FIG. 2 is a block diagram of the substrate network of FIG. 1illustrating logical networking functionality;

FIG. 3 is a block diagram of the substrate network of FIG. 1illustrating a substrate network configuration associated with overlaynetworks;

FIGS. 4A and 4B are block diagrams of the substrate network of FIG. 1illustrating independently determined substrate routing;

FIGS. 5A and 5B are block diagrams of the substrate network of FIG. 1illustrating virtual route selection propagation to the substratenetwork;

FIG. 6 is a block diagram of the substrate network of FIG. 1illustrating the determination of routes into or out of a virtualnetwork by network translation device;

FIG. 7A illustrates a flow diagram for a process of propagating virtualroutes to a substrate network;

FIG. 7B illustrates a flow-diagram for a process of determiningsubstrate routing based on target performance characteristics of theassociated virtual network;

FIG. 8 is a simplified block diagram of the substrate network of FIG. 1illustrating hosted virtual machine networks;

FIG. 9 is a simplified block diagram of the substrate network of FIG. 1illustrating hosted virtual machine networks;

FIG. 10 is a block diagram of the simplified substrate network of FIG. 9illustrating hosted virtual machine networks configuring virtual machinenetwork security assessments;

FIGS. 11A and 11B are block diagrams of the simplified substrate networkof FIG. 9 illustrating hosted virtual machine networks performingvirtual machine network security assessments;

FIG. 12 is a flow-diagram illustrative of a virtual machine networksecurity assessment configuration routine implemented by a virtualmachine network manager;

FIG. 13 is a flow-diagram illustrative of a virtual machine networksecurity assessment routine implemented by a virtual machine networkmanager; and

FIG. 14 illustrates an exemplary user interface that may be used todefine an assessment configuration.

DETAILED DESCRIPTION

Generally described, aspects of the present disclosure relate to themanagement of virtual machine instances and other programmaticallycontrolled networks. Specifically, embodiments of network datatransmission analysis systems and methods are disclosed for managingsecurity assessments of hosted virtual machine networks. Illustrativeembodiments of the systems and methods may be implemented on a virtualnetwork overlaid on one or more intermediate physical networks that areused as a substrate network. The hosted virtual machine networks areconfigured in a manner such that a virtual machine manager component maymonitor activity such as user requests, network traffic, and the statusand execution of various virtual machine instances to determine possiblesecurity assessments, such as vulnerabilities. The virtual machinemanager component may determine a variety of assessment events on thebasis of these user requests and virtual machine network activities.When an assessment event or triggering activity is detected, aspects ofthe virtual network may be assessed or scanned for vulnerabilities atvarying levels of granularity and sophistication.

In one embodiment of the invention, a security assessment may beperformed subsequent or simultaneous to a virtual machine instanceexecution in order to determine whether the execution has introduced orcontributed to system vulnerabilities. In another embodiment of theinvention, the virtual machine manager may delay execution of anactivity or request for execution until after a security assessment isperformed. In still another embodiment of the invention, the virtualmachine manager may instantiate and cause the performance of a securityassessment on a new set of virtual machine instances with a similarconfiguration to existing virtual machine instances in order to avoiddisrupting the operation of a virtual network. Additionally, undervarious embodiments of the invention the virtual machine manager may beconfigured to prevent, delay, or reverse the execution of a virtualmachine network activity or request for execution pending the results ofa security assessment.

The following section discusses various embodiments of illustrativemanaged networks for network data transmission analysis. Following thatis further discussion of network analysis systems and methods that canconfigure and implement virtual network security assessments.Accordingly, the description of the managed networks for network datatransmission is included for purposes of illustrative embodiments andexamples and should not be construed as limiting.

Managed Computer Networks for Network Data Transmission Analysis

With the advent of virtualization technologies, networks and routing forthose networks can now be simulated using commodity hardware components.For example, virtualization technologies can be adapted to allow asingle physical computing machine to be shared among multiple virtualnetworks by hosting one or more virtual machines on the single physicalcomputing machine. Each such virtual machine can be a softwaresimulation acting as a distinct logical computing system that providesusers with the illusion that they are the sole operators andadministrators of a given hardware computing resource. In addition, asrouting can be accomplished through software, additional routingflexibility can be provided to the virtual network in comparison withtraditional routing. As a result, in some implementations, supplementalinformation other than packet information can be used to determinenetwork routing.

Aspects of the present disclosure will be described with regard toillustrative logical networking functionality for managed computernetworks, such as for virtual computer networks that are provided onbehalf of users or other entities. In at least some embodiments, thetechniques enable a user to configure or specify a network topology,routing costs, routing paths, and/or other information for a virtual oroverlay computer network including logical networking devices that areeach associated with a specified group of multiple physical computingnodes. For example, a user (e.g., a network administrator for anorganization) or service provider may configure a virtual or overlaynetwork based on detected events, processing criteria, or upon request.With the network configuration specified for a virtual computer network,the functionally and operation of the virtual network can be simulatedon physical computing nodes operating virtualization technologies. Insome embodiments, multiple users or entities (e.g. businesses or otherorganizations) can access the system as tenants of the system, eachhaving their own virtual network in the system. In one embodiment, auser's access and/or network traffic is transparent to other users. Forexample, even though physical components of a network may be shared, auser of a virtual network may not see another user's network traffic onanother virtual network if monitoring traffic on the virtual network.

By way of overview, FIGS. 1 and 2 relate to embodiments wherecommunications between multiple computing nodes of the virtual computernetwork emulate functionality that would be provided by logicalnetworking devices if they were physically present. In some embodiments,some or all of the emulation are performed by an overlay network managersystem. FIGS. 2-4B and 7B relate to embodiments where substrate routingdecisions can be made independently of any simulated routing in theoverlay network, allowing, for example, optimization of traffic on thesubstrate network based on information unavailable to a virtual networkuser. FIGS. 5A-7A relate to embodiments where routing decisionsimplemented on the virtual or overlay network are propagated to thesubstrate network. As previously discussed, one skilled in the relevantart will appreciate, however, that the disclosed virtual computernetwork is illustrative in nature and should not be construed aslimiting.

Overlay Network Manager

FIG. 1 is a network diagram illustrating an embodiment of an overlaynetwork manager system (ONM) for managing computing nodes associatedwith a virtual computer network. Virtual network communications can beoverlaid on one or more intermediate physical networks in a mannertransparent to the computing nodes. In this example, the ONM systemincludes a system manager module 110 and multiple communication managermodules 109 a, 109 b, 109 c, 109 d, 150 to facilitate the configuringand managing communications on the virtual computer network.

The illustrated example includes an example data center 100 withmultiple physical computing systems operated on behalf of the ONMsystem. The example data center 100 is connected to a global internet135, or general communication network, external to the data center 100.The global internet 135 can provide access to one or more computingsystems 145 a via private network 140, to one or more other globallyaccessible data centers 160 that each have multiple computing systems,and to one or more other computing systems 145 b. The global internet135 can be a publicly accessible network of networks, commonly referredto as the Internet, and the private network 140 can be an organization'snetwork that is wholly or partially inaccessible from computing systemsexternal to the private network 140. Computing systems 145 b can be homecomputing systems or mobile computing devices that each connectsdirectly to the global internet 135 (e.g., via a telephone line, cablemodem, a Digital Subscriber Line (“DSL”), cellular network or otherwireless connection, etc.).

The example data center 100 includes a number of physical computingsystems 105 a-105 d and a Communication Manager module 150 that executeson one or more other computing systems. The example data center furtherincludes a System Manager module 110 that executes on one or morecomputing systems. In this example, each physical computing system 105a-105 d hosts multiple virtual machine computing nodes and includes anassociated virtual machine (“VM”) communication manager module (e.g., aspart of a virtual machine hypervisor monitor for the physical computingsystem). Such VM communications manager modules and VM computing nodesinclude VM Communication Manager module 109 a and virtual machines 107 aon host computing system 105 a, and VM Communication Manager module 109d and virtual machines 107 d on host computing system 105 d.

This illustrative data center 100 further includes multiple physicalnetworking devices, such as switches 115 a-115 b, edge router devices125 a-125 c, and core router devices 130 a-130 c. Switch 115 a is partof a physical sub-network that includes physical computing systems 105a-105 c, and is connected to edge router 125 a. Switch 115 b is part ofa distinct physical sub-network that includes the System Manager module110, and is connected to edge router 125 b. The physical sub-networksestablished by switches 115 a-115 b, in turn, are connected to eachother and other networks (e.g., the global internet 135) via anintermediate communication network 120, which includes the edge routers125 a-125 c and the core routers 130 a-130 c. The edge routers 125 a-125c provide gateways between two or more sub-networks or networks. Forexample, edge router 125 a provides a gateway between the physicalsub-network established by switch 115 a and the interconnection network120, while edge router 125 c provides a gateway between theinterconnection network 120 and global internet 135. The core routers130 a-130 c manage communications within the interconnection network120, such as by routing or otherwise forwarding packets or other datatransmissions as appropriate based on characteristics of such datatransmissions (e.g., header information including source and/ordestination addresses, protocol identifiers, etc.) and/or thecharacteristics of the interconnection network 120 itself (e.g., routesbased on the physical network topology, etc.).

The System Manager module 110 and Communication Manager module 109 canconfigure, authorize, and otherwise manage communications betweenassociated computing nodes, including providing logical networkingfunctionality for one or more virtual computer networks that areprovided using the computing nodes. For example, Communication Managermodule 109 a and 109 c manages associated virtual machine computingnodes 107 a and 107 c and each of the other Communication Managermodules can similarly manage communications for a group of one or moreother associated computing nodes. The Communication Manager modules canconfigure communications between computing nodes so as to overlay avirtual network over one or more intermediate physical networks that areused as a substrate network, such as over the interconnection network120.

Furthermore, a particular virtual network can optionally be extendedbeyond the data center 100, such as to one or more other data centers160 which can be at geographical locations distinct from the first datacenter 100. Such data centers or other geographical locations ofcomputing nodes can be inter-connected in various manners, including viaone or more public networks, via a private connection such as a director VPN connection, or the like. In addition, such data centers can eachinclude one or more other Communication Manager modules that managecommunications for computing systems at that data. In some embodiments,a central Communication Manager module can coordinate and managecommunications among multiple data centers.

Thus, as one illustrative example, one of the virtual machine computingnodes 107 a 1 on computing system 105 a can be part of the same virtuallocal computer network as one of the virtual machine computing nodes 107d 1 on computing system 105 d. The virtual machine 107 a 1 can thendirect an outgoing communication to the destination virtual machinecomputing node 107 d 1, such as by specifying a virtual network addressfor that destination virtual machine computing node. The CommunicationManager module 109 a receives the outgoing communication, and in atleast some embodiments determines whether to authorize the sending ofthe outgoing communication. By filtering unauthorized communications tocomputing nodes, network isolation and security of entities' virtualcomputer networks can be enhanced.

The Communication Manager module 109 a can determine the actual physicalnetwork location corresponding to the destination virtual networkaddress for the communication. For example, the Communication Managermodule 109 a can determine the actual destination network address bydynamically interacting with the System Manager module 110, or can havepreviously determined and stored that information. The CommunicationManager module 109 a then re-headers or otherwise modifies the outgoingcommunication so that it is directed to Communication Manager module 109d using an actual substrate network address.

When Communication Manager module 109 d receives the communication viathe interconnection network 120, it obtains the virtual destinationnetwork address for the communication (e.g., by extracting the virtualdestination network address from the communication), and determines towhich virtual machine computing nodes 107 d the communication isdirected. The Communication Manager module 109 d then re-headers orotherwise modifies the incoming communication so that it is directed tothe destination virtual machine computing node 107 d 1 using anappropriate virtual network address for the virtual computer network,such as by using the sending virtual machine computing node 107 a 1'svirtual network address as the source network address and by using thedestination virtual machine computing node 107 d 1's virtual networkaddress as the destination network address. The Communication Managermodule 109 d then forwards the modified communication to the destinationvirtual machine computing node 107 d 1. In at least some embodiments,before forwarding the incoming communication to the destination virtualmachine, the Communication Manager module 109 d can also performadditional steps related to security.

Further, the Communication Manager modules 109 a and/or 109 c on thehost computing systems 105 a and 105 c can perform additional actionsthat correspond to one or more logical specified router devices lyingbetween computing nodes 107 a 1 and 107 c 1 in the virtual networktopology. For example, the source computing node 107 a 1 can direct apacket to a logical router local to computing node 107 a 1 (e.g., byincluding a virtual hardware address for the logical router in thepacket header), with that first logical router being expected to forwardthe packet to the destination node 107 c 1 via the specified logicalnetwork topology. The source Communication Manager module 109 a receivesor intercepts the packet for the logical first router device and canemulate functionality of some or all of the logical router devices inthe network topology, such as by modifying a TTL (“time to live”) hopvalue for the communication, modifying a virtual destination hardwareaddress, and/or otherwise modify the communication header.Alternatively, some or all the emulation functionality can be performedby the destination Communication Manager module 109 c after it receivesthe packet.

By providing logical networking functionality, the ONM system providesvarious benefits. For example, because the various Communication Managermodules manage the overlay virtual network and can emulate thefunctionality of logical networking devices, in certain embodimentsspecified networking devices do not need to be physically implemented toprovide virtual computer networks, allowing greater flexibility in thedesign of virtual user networks. Additionally, correspondingmodifications to the interconnection network 120 or switches 115 a-115 bare generally not needed to support particular configured networktopologies. Nonetheless, a particular network topology for the virtualcomputer network can be transparently provided to the computing nodesand software programs of a virtual computer network.

Logical/Virtual Networking

FIG. 2 illustrates a more detailed implementation of the ONM system ofFIG. 1 supporting logical networking functionality. The ONM systemincludes more detailed embodiments of the ONM System Manager and ONMCommunication Manager of FIG. 1 . In FIG. 2 , computing node A issending a communication to computing node H, and the actions of thephysically implemented modules 210 and 260 and devices of network 250 inactually sending the communication are shown, as well as emulatedactions of the logical router devices 270 a and 270 b in logicallysending the communication.

In this example, computing nodes A 205 a and H 255 b are part of asingle virtual computer network for entity Z. However, computing nodescan be configured to be part of two distinct sub-networks of the virtualcomputer network and the logical router devices 270 a and 270 b separatethe computing nodes A and H in the virtual network topology. Forexample, logical router device J 270 a can be a local router device tocomputing node A and logical router device L 270 b can be a local routerdevice to computing node H.

In FIG. 2 , computing nodes A 205 a and H 255 b includes hardwareaddresses associated with those computing nodes for the virtual computernetwork, such as virtual hardware addresses that are assigned to thecomputing nodes by the System Manager module 290 and/or theCommunication Manager modules R 210 and S 260. In this example,computing node A has been assigned hardware address “00-05-02-0B-27-44,”and computing node H has been assigned hardware address“00-00-7D-A2-34-11.” In addition, the logical router devices J and Lhave also each been assigned hardware addresses, which in this exampleare “00-01-42-09-88-73” and “00-01-42-CD-11-01,” respectively, as wellas virtual network addresses, which in this example are “10.0.0.1” and“10.1.5.1,” respectively. The System Manager module 290 maintainsprovisioning information 292 that identifies where each computing nodeis actually located and to which entity and/or virtual computer networkthe computing node belongs.

In this illustrative example, computing node A 205 a first sends anaddress resolution protocol (ARP) message request 222-a for virtualhardware address information, where the message is expected to firstpass through a logical device J before being forwarded to computing nodeH. Accordingly, the ARP message request 222-a includes the virtualnetwork address for logical router J (e.g., “10.0.0.1”) and requests thecorresponding hardware address for logical router J.

Illustratively, the Communication Manager module R intercepts the ARPrequest 222-a, and obtains a hardware address to provide to computingnode A as part of spoofed ARP response message 222-b. The CommunicationManager module R can determine the hardware address by, for example,looking up various hardware address information in stored mappinginformation 212, which can cache information about previously receivedcommunications. Communication Manager module R can communicate 227 withthe System Manager module 290 to translate the virtual network addressfor logical router J.

The System Manager module 290 can maintain information 294 related tothe topology and/or components of virtual computer networks and providethat information to Communication Manager modules. The CommunicationManager module R can then store the received information as part ofmapping information 212 for future use. Communication Manager module Rthen provides computing node A with the hardware address correspondingto logical router J as part of response message 222-b. While request222-a and response message 222-b actually physically pass betweencomputing node A and Communication Manager module R, from the standpointof computing node A, its interactions occur with local router device J.

After receiving the response message 222-b, computing node A 205 acreates and initiates the sending of a communication 222-c to computingnode H 255 b. From the standpoint of computing node A, the sentcommunication will be handled as if logical router J 270 a werephysically implemented. For example, logical router J could modify theheader of the communication 265 a and forward the modified communication265 b to logical router L 270 a, which would similarly modify the headerof the communication 265 b and forward the modified communication 265 cto computing node H. However, communication 222-c is actuallyintercepted and handled by Communication Manager module R, whichmodifies the communication as appropriate, and forwards the modifiedcommunication over the interconnection network 250 to computing node Hby communication 232-3. Communication Manager module R and/orCommunication Manager module S may take further actions in this exampleto modify the communication from computing node A to computing node H orvice versa to provide logical networking functionality. For example,Communication Manager module S can provides computing node H with thehardware address corresponding to logical router L as part of responsemessage 247-e by looking up the hardware address in stored mappinginformation 262. In one embodiment, a communication manager or computingnode encapsulates a packet with another header or label where theadditional header specifies the route of the packet. Recipients of thepacket can then read the additional header and direct the packetaccordingly. A communication manager at the end of the route can removethe additional header.

A user or operator can specify various configuration information for avirtual computer network, such as various network topology informationand routing costs associated with the virtual 270 a, 270 b and/orsubstrate network 250. In turn, the ONM System Manager 290 can selectvarious computing nodes for the virtual computer network. In someembodiments, the selection of a computing node can be based at least inpart on a geographical and/or network location of the computing node,such as an absolute location or a relative location to a resource (e.g.,other computing nodes of the same virtual network, storage resources tobe used by the computing node, etc.). In addition, factors used whenselecting a computing node can include: constraints related tocapabilities of a computing node, such as resource-related criteria(e.g., an amount of memory, an amount of processor usage, an amount ofnetwork bandwidth, and/or an amount of disk space), and/or specializedcapabilities available only on a subset of available computing nodes;constraints related to costs, such as based on fees or operating costsassociated with use of particular computing nodes; or the like.

Route Selection on Substrate Network

FIG. 3 illustrates an example embodiment of a substrate network 300having a route manager 336 capable of determining routes for overlaynetworks. The substrate network 300 can be composed of one or moresubstrate components or nodes, such as computing nodes, routing nodes,communication links or the like. In FIG. 3 , the substrate network 300includes computing nodes A 302, B 304, C 306, and D 308, which arecapable of simulating various components of one or more associatedoverlay networks. The nodes can be located on the same data center or inmultiple data centers. Computing node A is interconnected to node B vianetwork W 310, node B is connected to node C by network X 312, node C isconnected to node D by network Y 314, and node D is connected to node Aby network Z 316. Networks W, X, Y, and Z can include one or morephysical networking devices, such as routers, switches, or the like, andcan include private or public connections. Components shown in FIG. 3 ,such as the computing nodes and communication manager modules, canimplement certain of the features of embodiments described above withrespect to FIGS. 1 and 2 .

In FIG. 3 , nodes A 302, B 304, C 306, and D 308 are associated with arespective Communication Manager module 320, 322, 324, and 326. Thecommunication manager modules can implement certain of the featuresdescribed in the Communication Manager 150, 210, 260 and VMCommunication manager 109 a, 109 b, 109 c, 109 d of FIGS. 1 and 2 . Forexample, the Communication Manager module 320 for node A can operate ona hypervisor monitor of the computing node and can direct thecommunication of one or more virtual computing nodes 330, 332, 334 ofnode A. The computing nodes, communication managers and Route Manager336 can be part of the same ONM system. In one embodiment, the computingnodes run the XEN operating system (OS) or similar virtualization OS,with the communication managers operating on domain 0 or the first OSinstance and the virtual computing nodes being domain U or additional OSinstances.

The communication manager modules in FIG. 3 are in communication with aRoute Manager module 336, operating on one or more computing devices,that directs routing for the substrate network 300. In one embodiment,the Route Manager operates as part of the ONM System Manager module 110,290 of FIGS. 1 and 2 , with functionally combined into a single module.The Route Manager can be located within a data center or at a regionallevel and direct traffic between data centers. In one embodiment,multiple Route Managers can operate in a distributed manner tocoordinate routing across multiple data centers.

In FIG. 3 , two virtual networks are associated with the substratenetwork 300. Virtual network 1 (VN1) has components 338, 340, 342,associated with virtual computing nodes on computing nodes A 302, B 304,and C 306. Virtual network 2 (VN2) has components 344, 346, 348associated with virtual computing nodes on nodes A, C, and D 308.

As the Routing Manager module 336 directs network traffic on thesubstrate network 300, traffic can be directed flexibly and variousnetwork configurations and network costs can be considered. For example,routing paths can be determined based on specified performance levelsfor the virtual networks. In one embodiment, if the user for VN1 isentitled to a higher service level, such as for faster speed (e.g. lowerlatency and/or higher bandwidth), traffic associated with VN1 can berouted on a “fast” path of the substrate network 300. For example, inone embodiment, traffic for “platinum” users is prioritized over trafficfor “gold” and “silver” users, with traffic from “gold” usersprioritized over “silver” users. In one embodiment, at least somepackets of the user with the higher service level are prioritized overpackets of a user with a lower service level, for example, during timesof network congestion. The user may be entitled to a higher levelbecause the user has purchased the higher service level or earned thehigher service level through good behavior, such as by paying bills,complying with the operator's policies and rules, not overusing thenetwork, combinations of the same, or the like.

The Route Manager 336 can store user information or communicate with adata store containing user information in order to determine the targetperformance level for a virtual network. The data store can beimplemented using databases, flat files, or any other type of computerstorage architecture and can include user network configuration, paymentdata, user history, service levels, and/or the like. Typically, theRoute Manager will have access to node and/or link characteristics forthe substrate nodes and substrate links collected using various networkmonitoring technologies or routing protocols. The Route Manager can thenselect routes that correspond to a selected performance level for thevirtual network and send these routes to the computing nodes. Forexample, network W 310 and Y 312 can be built on fiber optic lines whilenetwork Y 314 and Z 316 are built on regular copper wire. The RouteManager can receive network metrics data and determine that the opticallines are faster than the copper wires (or an administrator candesignate the optical lines as a faster path). Thus, the Route Manager,in generating a route between node A 302 and node C 306 for “fast” VN1traffic, would select a path going through network W and Y (e.g., pathA-B-C).

In another situation, where the user for VN2 is not entitled to a higherservice level, VN2 traffic from node A 302 to node B 306 can be assignedto a “slow” or default path through network Y 314 and Z 316 (e.g. pathA-D-C). In order to track routing assignments, the Routing Manager canmaintain the routes and/or route association in a data store, such as aRouting Information Base (RIB) or routing table 350. The Route Managercan also track the target performance criteria 351 associated with aparticular virtual network.

In order to direct network traffic on the substrate network 300, theRouting Manager 336 can create forwarding entries for one or more of theCommunication Manager modules 320, 322, 324, 326 that direct how networktraffic is routed by the Communication Manager. The CommunicationManager modules can store those entries in forwarding tables 352, 354,356, or other similar data structure, associated with a CommunicationManager. For example, for VN1, the Route Manager can generate a controlsignal or message, such as a forwarding entry 358, that directs VN1traffic received or generated on node A 302 through network W 310 (onpath A-B-C). Meanwhile, for VN2, the Route Manager can generate acontrol signal or message, such as a forwarding entry 360, which directstraffic received on node A through network Z. The Route Manager can sendthese forwarding entries to the node A Communication Manager 320, whichcan store them on its forwarding table 352. Thus, network trafficassociated with VN1 and VN2, destined for node C 306 received orgenerated on node A can travel by either path A-B-C or path A-D-C basedon the designated performance level for VN1 and VN2.

While the example of FIG. 3 depicts only two virtual networks, the RouteManager 336 can similarly generate and maintain routes for any number ofvirtual networks. Likewise, the substrate network 300 can include anynumber of computing nodes and/or physical network devices. Routes can bedetermined based on multiple performance criteria, such as networkbandwidth, network security, network latency, and network reliability.For example, traffic for a virtual network suspected of being used forspamming (e.g. mass advertisement emailing) can be routed throughnetwork filters and scanners in order to reduce spam.

FIGS. 4A and 4B illustrate a virtual network 401 and correspondingsubstrate network 402 where substrate routing is independentlydetermined from virtual routing. FIG. 4A illustrates a virtual networkincluding several virtual network components. Virtual computing nodes I4404 and I5 406 are connected to a logical router 408. The logical routercan implement certain of the features described in the logical router270 a, 270 b of FIG. 2 . The logical router is connected to firewalls I1410 and I2 412. The logical router is configured to direct traffic fromI5 to I2 and I4 to I2, as would be the case if I2 were a backupfirewall. The forwarding table associated with logical router 409reflects this traffic configuration. I1 and I2 are connected to a secondrouter 414. The second router is connected to another virtual computingnode, I3 415. Thus, based on the topology and associated forwardingtable of the virtual network 401, traffic from I4 and I5 to I3 passedthrough I2.

FIG. 4B illustrates an example topology of the substrate network 402associated with the virtual network 401. The substrate network includescomputing node A 420, computing node B, and a Route Manager 424.Substrate nodes A and B are each associated with a Communication Manager426, 428. Node A is simulating the operation of virtual components I2,I3, and I5 while Node B is simulating the operation of virtualcomponents on I1 and I4 on their respective virtual machines. The RouteManager can then use information regarding the assignments of virtualcomponents to computing nodes to optimize or otherwise adjust routingtables for the substrate network. The Route Manager can receive suchinformation from the Communication Managers and/or the System Manager.For example, assuming I1 and I2 are identical virtual firewalls, theRoute Manager can determine that because I5 and I2 are located on thesame computing node, while I4 and I1 are located on the other node,virtual network traffic can be routed from I5 to I2 and from I4 to I1without leaving the respective computing node, thus reducing traffic onthe network. Such a configuration is reflected in the illustratedforwarding tables 430, 432 associated with the Communication Managers.Thus, routes on the substrate network can be determined independently ofvirtual network routes.

In some embodiments, the Route Manager 424 or System Manager canoptimize or otherwise improve network traffic using other techniques.For example, with reference to FIGS. 4A and 4B, another instance of I3can be operated on node B 422, in addition to the instance of I3 on nodeA. Thus, virtual network traffic from I5-I2-I3 and I4-I1-I3 can remainon the same computing node without having to send traffic betweencomputing nodes A and B. In one embodiment, substrate traffic can beoptimized or otherwise improved without having different forwardingentries on the substrate and the virtual network. For example, withreference to FIG. 4B, I4 can be moved from computing node B 422 to nodeA 420, thus allowing virtual traffic from I5 and I4 to I2 to remain onthe same computing node. In this way, a user monitoring traffic onlogical router 408 would see that traffic is flowing according theforwarding table in the router, that is, substrate routing istransparent to the user. Other techniques for optimizing traffic bychanging the association of virtual components with virtual machinesand/or duplicating components can also be used.

In some situations, it can be desired that substrate routes reflectroutes specified in the virtual table. For example, the virtual networkuser can wish to control how traffic is routed in the substrate network.However, rather than giving the user access to the substrate network,which could put other users at risk or otherwise compromise security, adata center operator can propagate network configuration or virtualnetwork characteristics specified by the user for the virtual network tothe substrate network. This propagated data can be used in generatingrouting paths in the substrate network, thus allowing the user to affectsubstrate routing without exposing the substrate layer to the user.

Route Selection on Overlay/Virtual Network

FIGS. 5A and 5B illustrate a virtual route selection propagated to thesubstrate network. FIG. 5A illustrates a virtual network topology wherelogical network 1 (LN1) 502 is connected to logical network 2 (LN2) 504and logical network 3 (LN3) 506 by a logical router 508. The currentpreferred routing path specified by the user is from LN1 to LN2.

A user may wish to specify a route for various reasons. For example,routing costs through LN2 can be cheaper than LN3, such as when LN2 andLN3 are in different locations with different ISPs and one ISP chargeslower rates than another. In another example, LN3 can be a backupvirtual network for LN2, and used only in some situations, such as forhandling overflow from LN2.

Referring back to FIG. 5A, the user can specify preferred routes throughthe virtual network and/or characteristics or costs associated with thevirtual components, such as monetary costs, packet loss rates,reliability rate, and/or other metrics. These characteristics can beassigned to the virtual components, such as the virtual computing nodes,node links, logical routers/switches, or the like. The Route Manager 510can then determine routing tables 512 and/or forwarding tables 514 forthe virtual network.

FIG. 5B illustrates an example of a substrate route that can correspondto the virtual route in FIG. 5A. In the figure, there are three datacenters 520, 522, 524 corresponding to the logical networks 502, 504,506 of FIG. 5A. In data center 1 (DC1), a computing node 526 isconnected to a network translation device A (NTD A) 528 and a networktranslation device B (NTD B) 530. The network translation devices areconnected to external networks C 532 and D 534, respectively.

The network translation devices can serve as a gateway or entry/exitpoint into the virtual network. In some embodiments, the networktranslation devices can translate between a first addressing protocoland a second addressing protocol. For example, if the virtual network isusing IPv6 and the external networks are using IPv4, the networktranslation devices can translate from one addressing protocol to theother for traffic in either direction. In one embodiment, users connectfrom their private networks to the data centers via a VPN or otherconnection to a network translation device, which translates and/orfilters the traffic between networks.

Referring back to FIG. 5B, network C 532 connects data center 2 522 toNTD A 528. Network D 534 connects data center 3 524 to NTD B 530. TheRoute Manager module 510 is in communication with data center 1 520,data center 2 522, and data center 3 524, particularly with theCommunication Manager for the computing node 526.

From information associated with the virtual network, the Route Manager510 can determine that the user wants to route traffic from LN1 to LN2.The Route Manager can then “favor” substrate routes associated with theLN1 to LN2 virtual path. For example, the Route Manager can specify alow routing cost (e.g. cost 1) for communications, such as data packets,travelling on Network C relative to Network D (e.g. cost 10) such thatduring route determination, routes through Network C are favored. In oneembodiment, the Route Manager can apply a coefficient to storedsubstrate costs in order to favor one route over another. In anotherexample, explicit routing paths can be set up corresponding to thevirtual route. The Route Manager can identify routes in its routingtable and communicate those routes with one or more CommunicationManagers.

Referring back to FIG. 5B, when the computing node 526 receives orgenerates a packet destined for LN2 or a network reachable from LN2, thecomputing node can be configured by the Route Manager to send packetsthrough NTD A 528 as it lies on the route including network C 532.

By propagating virtual network configuration data to the substrate, andusing that configuration data in substrate route calculation, amechanism is provided for a virtual network user to affect substraterouting. In some embodiments, the virtual configuration data can be usedin determining association of the virtual components with the substratecomponents. For example, components of the same virtual network can beassociated with the same substrate computing node or on computing nodesconnected to the same switch in order to minimize or otherwise improvesubstrate network traffic. Configuration data can also be provided theother way and, in some embodiments, the user and/or virtual network canbe provided with additional substrate information, such ascharacteristics of the underlying associated substrate components (e.g.,performance, costs) in order to make more informed routing decisions.

FIG. 6 illustrates an example substrate network wherein a networktranslation device determines routes into or out of a virtual network.In FIG. 6 , a communication, such as a data packet, leaves computingnode A, which is associated with a virtual network, through NTD B 604.The network translation device can include a Route Determination module605 for determining the packet route. NTD B is connected to network C606 and network D 608.

In FIG. 6 , the Route Manager 610 receives a network configuration ordetermines that route A-B-C is preferred or has a cheaper cost. TheRoute Manager can store the route in a routing table 612. The RouteManager can then send forwarding entries to the NTD B 604 that configureit to send traffic through network C 606. NTD B can contain multipleforwarding entries for multiple virtual networks, such that data for onevirtual network can be sent through network C, while another virtualnetwork sends data through network D. In some cases, network packetswith the same source and/or destination are sent by different networksbased on the associated virtual network.

In some embodiments, the substrate component may not have aCommunication Manager or a Route Determination module and other ways ofcoordinating routing can be used. For example, a substrate component,such as an ordinary router or a network translation device, can be setup multiply on separate paths. Using blacklists, network traffic for aparticular virtual network can be allowed on one path but blocked onothers. The Route Manager can send a control signal or message updatingthe blacklists to manage the data flow.

In other embodiments, substrate components can implement IP aliasing,where, for example, “fast” path packets use one set of IP addresses,while “slow” path packets use another set of IP addresses. When thesubstrate component receives the packet, it can determine which path touse based on the IP address. The Route Manager can send a control signalor message to assign IP addresses to the components based on the type oftraffic handled.

Other ways of differentiating how packets are handled by substratecomponents include: tagging of packets, such as by Multiprotocol LabelSwitching (MPLS); MAC stacking where a packet could have multiple MACaddresses, the first MAC address for a substrate component, such as aswitch, and a second MAC address for a next component either on the“fast” or the “slow” path; and using Network Address Translation (NAT)devices on both ends of a network in order to redirect traffic into thenetwork, such as by spoofing or altering an destination address for anincoming packing and/or altering an the source address of an outgoingpacket. In some embodiments, the Route Manager generates control signalsor messages for coordinating traffic on the substrate network for thevarious techniques described above.

Virtual Network Route Selection Process

FIG. 7A illustrates a flow diagram for a process 700 of propagatingvirtual routes to a substrate network usable in the example networksdescribed above. The virtual routes can be based on networkconfiguration data provided by a virtual network user, such as costs,component characteristics, preferred routes, and/or the like.

At block 705, the Route Manager module receives user configurationand/or network configuration data, such as, for example, policy basedrouting decisions made by the user. In some embodiments, a userinterface is provided, allowing a user to specify configuration data.The Route Manager can receive the configuration data from a data store,for example, if user configuration and/or network configuration data arestored on the data store after being received on the user interface orotherwise generated. In some embodiments, the configuration data caninclude explicit routing paths through the virtual network. In someembodiments, the configuration data can specify associated costs fortraversing components of the virtual network, such as links and/ornodes. These costs can be based on monetary costs, packet loss rates,reliability rate, and/or other metrics. These costs can be provided bythe user to configure the virtual network provided by the data centeroperator. However, costs and other network configuration data can comefrom the data center operator themselves in addition to or instead offrom the user. For example, the data center operator can use the virtualnetwork to provide feedback to the user on routing costs, such as byassociating monetary use costs for the substrate computing nodes and/orcomponents. In one example, the data center operator can specify a highcost for a high speed network link or high powered computing node sothat the virtual network user can take into account that cost inconfiguring the virtual network.

At block 710, the Route Manager module determines virtual network routesbased on the user configuration and/or network configuration data. Insome embodiments, routing protocols or the route determinationalgorithms of the routing protocols, such as BGP, OSPF, RIP, EIGRP, orthe like, can be used to determine virtual routes.

At block 715, the Route Manager determines one or more forwardingentries for substrate network components, such as computing nodes,network translation devices, or the like. As the Route Manager candetermine routing paths and propagate routing decisions to the substratecomponents, the Route Manager can coordinate routing within a datacenter and/or between multiple data centers.

At block 720, the Route Manager transmits the forwarding entries to thesubstrate components. At block 725, the substrate component receives theforwarding entries. The substrate network components can store theforwarding entries in FIB tables or similar structures. Generally, aCommunication Manager on the substrate component receives and processesthe forwarding entry and manages communications of the substratecomponent. However, as discussed above, network traffic can also becoordinated for substrate components without a Communication Managerusing instead, for example, a NAT device, or the like. In someembodiments, the Route Manager can send blacklist updates, managetagging of the packets, generate stacked MAC addresses, or the like.

At block 730, the substrate components route packets received orgenerated according to the stored forwarding entries. Generally, aCommunication Manager on the substrate component manages the packetrouting and refers to the forwarding entries to make forwardingdecisions.

Substrate Network Route Selection Process

FIG. 7B illustrates a flow-diagram for a process 750 for determiningsubstrate routing based on target performance characteristics of theassociated virtual network usable in the example networks describedabove. In some instances, the Route Manager can optionally generate avirtual routing table for the virtual network before determiningsubstrate routing. The virtual routing table can be used to determinevirtual routing paths, allowing optimization of network traffic byselective association of the virtual network components with substratecomputing nodes, such as by taking into account physical location andvirtual network traffic patterns. However, generation of the virtualrouting table is not necessary as the substrate routes can be determinedindependently of the virtual routes, as will be described below. Inaddition, user configuration and/or network configuration data providedby the user can be used to describe the virtual network, without needingto generate a virtual routing table.

At block 755, the Route Manager receives characteristics of thesubstrate nodes and/or node links. The Route Manager can receive thecharacteristics data from a data store. In some embodiments, a userinterface is provided, allowing a user to specify characteristics data.The characteristics can describe such things as monetary costs, networkbandwidth, network security, network latency, network reliability,and/or the like. These characteristics can be used in a cost functionfor determining substrate routing paths. This information can be kept bythe Route Manager or data source accessible by the Route Manager.

At block 760, the Route Manager receives a target network performancefor the virtual network. The target performance can be based on apurchased service level by the user, user history, security data, or thelike. For example, a service level purchased by a user can have minimumbandwidth, latency, or quality of service requirements. In anotherexample, a user can be a new customer with an unknown payment historysuch that the user is provisioned on a “slow” virtual network in orderto minimize incurred expenses in case the user fails to pay. In anotherexample, a user identified as carrying dangerous or prohibited traffic,such as viruses, spam, or the like, can be quarantined to particularsubstrate components. During quarantine, the virtual network componentscan be assigned to specialized substrate components with more robustsecurity features. For example, the substrate components can haveadditional monitoring functionally, such as a deep-packet scanningability, or have limited connectivity from the rest of the substratenetwork.

At block 765, the Route Manager determines substrate network routesbased on the target network performance and/or characteristics of thesubstrate nodes and/or links. In one embodiment, the Route Manager canuse the characteristic data in a cost function for determining routes.Which characteristic to use or what level of service to provide can bedetermined by the performance criteria or target performance. Forexample, for a “fast” route, the Route Manager can use bandwidth and/orlatency data for the substrate network to generate routes that minimizelatency, maximize available bandwidth, and/or otherwise improve networkperformance.

The Route Manager can re-determine routes as needed based on changes inthe network, the configuration data, and/or the performance level. Forexample, if a user has purchased N gigabits of “fast” routing but hasreached the limit, the Route Manager can generate new routes and shiftthe user to “slow” routing.

At block 770, the Route Manager transmits forwarding entries for one ormore routes to one or more nodes and/or network translation devices. Insome embodiments, the Route Manager determines forwarding entries forthe substrate components and sends those forwarding entries to thesubstrate components on the path. In some embodiments, the Route Managercan send blacklist updates, manage tagging of data packets, and/orgenerate stacked MAC addresses.

At block 775, the Route Manager can optionally update the virtualrouting table based on substrate network routes. By changing the virtualnetwork routing table based on the substrate routes, the virtual networkcan stay logically consistent with the behavior of the substratenetwork. Thus, users won't necessarily be confused by discrepancies inthe virtual routing.

Security Assessment Management within a Virtual Machine Network

With reference now to FIGS. 8-14 , various embodiments for themonitoring and management of virtual machine security assessments withinhosted virtual machine networks will be described. With reference toFIGS. 8 and 9 , a simplified block diagram of the substrate network 100of FIG. 1 will be described for purposes of illustrating the interactionbetween various components of the substrate network. However, oneskilled in the relevant art will appreciate that illustrativeinteraction and communications may include, or otherwise involve,additional components not illustrated in the illustrative drawingfigures.

With reference to FIG. 8 , the substrate network 100 includes a numberof physical computing systems 105 that host one or more virtual machineinstances 107. One skilled in the relevant art will appreciate that thenumber of virtual machine instances hosted on each physical computingsystem 105 can vary according to the computing device resourcesassociated with each individual physical computing system 105 and inaccordance with the management policies of the substrate network 100.The substrate network 100 also includes a virtual machine managercomponent, such as ONM system manager 110, for managing the allocationof virtual machine instances 107 on the various physical computingsystems 105. Although the virtual machine manager component isillustrated with regard to functionality implemented by a component ofthe substrate network 100, in an alternative embodiment, the virtualmachine manager component may be implemented as a stand alone componentof the substrate network, integrated into a single physical computingsystem 105 or distributed as functionality implemented among multiplephysical computing devices 105.

In communication with the ONM system manager 110 via the communicationnetwork 120 is a client computing device interface 802 for obtainingrequests from various client computing systems 145 via the externalcommunication network 135. The client computing device interface 802 canobtain various requests, such as requests for modifying or configuringsets of virtual machine instances 107, requests for virtual machinenetwork assessment configurations as well as other requests.Illustratively, the client computing device interface 802 can facilitateinteraction with client computing systems 145 via establishedApplication Protocol Interfaces (“APIs”) provide by the substratenetwork 100.

Also in communication with the ONM system manager 110 is one or morestorage nodes 804 for archiving or storing information associated withsecurity assessments or other execution of virtual machine instances107. The storage nodes 804 can correspond to various storage mediaincluding physical storage media associated specifically with thesubstrate network 100. Additionally, or alternatively, the storage nodes804 can correspond to various network based storage networks accessibleto the substrate network 100 via communication network 120.

With reference now to FIG. 9 , in one embodiment, the substrate network100, such as the simplified substrate network illustrated in FIG. 8 ,includes three physical computing systems 105A, 105B, 105C. Eachphysical computing system 105A-105C hosts a number of virtual machineinstances 107. Specifically, for purposes of illustration, at some pointin time, physical computing system 105A hosts virtual machine instances107A-107F. At the same point in time, physical computing system 105Bhosts virtual machine instances 107G-107J. Likewise, physical computingsystem 105 c hosts virtual machine instances 107K-107N.

In accordance with aspects of the present disclosure, the virtualmachine instances 107A-107N can be associated into various sets ofvirtual machine instances. For example, the sets of virtual machineinstances can be associated by affiliation to specific users or useraccounts, affiliation to organizations (e.g., a corporate network),specific software applications executed by the virtual machineinstances, specific operating systems executed by the virtual machineinstances, as well as any number of additional organizational criteria.As will be explained in greater detail below, a virtual machine manager,such as the ONM system manager 110 can manage the performance of virtualmachine network security assessments on sets of the virtual machineinstances 107A-107N in response to requests from various clientcomputing systems 145 or in response to the determination of an event,including the modification of virtual machine instances and theinstantiation of new virtual machine instances. Additionally, the ONMsystem manager 110 can implement various processing and data collectiontechniques in response to the determination of an event.

With reference now to FIG. 10 , an illustrative embodiment forconfiguring virtual machine network security assessments will bedescribed. The ONM system manager 110 begins by obtaining a virtualmachine network assessment configuration from the client computingsystems 145. Illustratively, the assessment configuration may correspondto security assessment configuration information including theidentification of, or configuration of, security assessment events,assessment extents, assessment types, or assessment timings, as well asany number of additional types of security assessment configurationinformation as discussed further with reference to FIG. 14 .Additionally, the assessment configuration can include the selection ofcriteria that will be utilized by the ONM system manager 110 to generateassessment events for a specified virtual machine network. One skilledin the relevant art will appreciate that the virtual machine assessmentconfiguration may be obtained from the client computing systems 145 viaa client computing device interface or other means described above withrespect to FIG. 8 .

The ONM system manager 110 can process the virtual machine networkassessment configuration to generate one or more assessment profiles. Inone embodiment, an assessment profile may contain information orexecutable code associating the assessment profile with a securityassessment event or describing one or more assessment preferences.

In one aspect, security assessment events may include eventscorresponding to activities associated with the execution of a virtualnetwork. In another aspect, security assessment events may includerequests for execution of specific virtual machine network activities.Specifically, for the purpose of example, activities associated withsecurity assessment events may include but are not limited to requestsfor or the execution of: specific network or virtual machine instancetransactions; changes in network activity or traffic to a set of virtualmachine instances or ports; opening or closing a network port; theaddition or removal of a set of virtual machine instances; changes inconfiguration of a set of virtual machine instances; the joining orleaving of a hardware device on the virtual machine network; the reboot,shut down, or power on of a virtual machine instance or physicalcomputing system; the installation or removal of a software package orapplication; requests for security assessments; the identification ordetermination of new internal or external security threats; themodification of a security posture value representing the likelihood ofsystem vulnerability or attack; and/or time defined activities, such asthe change of a timer value associated with the virtual machine networkgenerally or with a specific set of virtual machine instances. It willbe appreciated by one skilled in the relevant art that a securityassessment event may correspond to one or a combination of theseactivities. For example, a security assessment event may be defined as arequest for installation of a specific software package when a securityposture value representing the likelihood of system attack is over apredetermined threshold.

Assessment preferences may include various categories of configurationinformation, including but not limited to assessment timing information,assessment type information, and assessment extent information, as willbe explained in greater detail below with respect to FIG. 14 . Referringback to FIG. 10 , the ONM system manager 110 may cause the generatedassessment profiles to be stored in storage nodes 804 for future use.

FIGS. 11A and 11B illustrate example embodiments of virtual machinesecurity assessments within an illustrative hosted virtual machinenetwork. FIG. 11A illustrates a virtual machine network securityassessment across multiple sets of virtual machine instances 107A-107Nhosted on three physical computing systems 105A, 105B, 105C. For thepurpose of illustration, the ONM system manager 110 can monitor forsecurity assessment events, such as requests for execution of a virtualmachine network activity or activity associated with the execution of avirtual network activity. These security assessment events may beassociated with one or more assessment profiles as described above withrespect to FIG. 10 . Illustratively, the ONM system manager 110 mayrespond to a detected activity associated with a security assessmentevent by causing the performance of a virtual machine network securityassessment. Under some embodiments, the ONM system manager 110 may causethe performance of a security assessment or vulnerability scansubsequent or simultaneous to a virtual machine instance execution inorder to determine whether the execution has introduced or contributedto system vulnerabilities. Under other embodiments, the virtual machinemanager may delay execution of an activity or request for executionuntil after a security assessment is performed. Additionally, undervarious embodiments the ONM system manager 110 may prevent, delay, orreverse the execution of a virtual machine network activity or requestfor execution pending the results of a security assessment.

Referring back to FIG. 11A, the ONM system manager 110 begins byobtaining a virtual machine network activity request from the clientcomputing systems 145. The ONM system manager 110 can process thevirtual machine network activity request to determine whether itcorresponds to a security assessment event or can be classified as asecurity assessment event. In another embodiment, the ONM system manager110 can monitor the execution of the virtual machine instances foractivities that may rise to a detected security assessment event. In oneaspect, the determination of a security assessment event can beautomatic based on one or more stored assessment profiles associatedwith a virtual machine network. In another aspect, the determination ofa security assessment event may be dynamic in nature based on variouscriteria maintained by the ONM system manager 110. Illustratively, avirtual machine network may be associated with multiple assessmentprofiles corresponding to different security assessment events. Forexample, a detected activity or request may not correspond to a securityassessment event for one assessment profile, but may correspond to oneor more security assessment event for other assessment profilesassociated with the same virtual machine network. A security assessmentevent may additionally require manual verification or manual initiationfrom an administrator associated with the substrate network 100 or anadministrator associated the set of virtual machine instances at issue.In another embodiment, security assessments may be triggeredautomatically or on a continuous basis.

For purposes of illustration, assume that the virtual machine networkactivity request obtained by the ONM system manager 110 corresponds to asecurity assessment event. Accordingly, the ONM system manager 110 canprocess the activity request to determine the corresponding securityassessment event as described above. The ONM system manager 110 maydetermine assessment preferences associated with the determined securityassessment events based on assessment profiles or other criteriamaintained by the ONM system manager 110. In some embodiments, the ONMsystem manager 110 can optionally determine whether the virtual machinenetwork activity corresponding to the activity request should beexecuted before or after a security assessment has been run.

Referring back to FIG. 11A, for purposes of illustration, assume thatthe virtual machine network activity request corresponds to execution ofone or more instances of the set of virtual machine instances 107A-107F.Accordingly, the ONM system manager 110 can cause the execution of oneor more instances of the set of virtual machine instances 107A-107F. TheONM system manager 110 may then cause the performance of a securityassessment on a set of virtual machine instances 107A-107N hosted onphysical computing systems 105A, 105B, 105C.

As previously described, the timing, extent, and type of the securityassessment may illustratively be based on assessment preferencesassociated with one or more assessment profiles, or may be dynamicallydetermined based on based on various criteria maintained by the ONMsystem manager 110. As illustrated in FIG. 11A, for purposes of example,the ONM system manager 110 causes a security assessment on all virtualmachine instances within the virtual machine network as a safeguardmeasure in parallel with the requested or detected network activity. Inan alternate aspect, the ONM system manager may cause a securityassessment only on specific sets of virtual machine instances within thevirtual machine network. One skilled in the relevant art willadditionally appreciate that the set of assessed virtual machineinstances may be hosted by one or more physical computing systems 105.The timing of the instantiation of the security assessment maycorrespond to the type of assessment or type of activity that isrequested or detected. Accordingly, the timing of the securityassessment can occur in parallel or asynchronously from the addition ofthe network component. One skilled in the relevant art will appreciate,however, that the components targeted by a security assessment, the typeof assessment performed, and the timing of the security assessment canbe separately configured.

FIG. 11B illustrates a targeted virtual machine network securityassessment across a set of virtual machine instances 107A-107N hosted ona physical computing system 105A. As previously described, the ONMsystem manager 110 can process the virtual machine network activityrequest to determine whether the activity corresponds to one or moresecurity assessment events. In another embodiment, the ONM systemmanager 110 can monitor the execution of the virtual machine instancesfor activities that may rise to one or more security assessment events.For purposes of illustration, assume that the virtual machine networkactivity request obtained by the ONM system manager 110 corresponds to asecurity assessment event. Accordingly, the ONM system manager 110 canprocess the activity request to determine the corresponding securityassessment event as described above with reference to FIG. 11A.

The ONM system manager 110 may obtain assessment profiles or assessmentpreferences associated with the determined security assessment event. Aspreviously described, the ONM system manager 110 can determine whetherthe virtual machine network activity corresponding to the activityrequest should be executed before or after a security assessment hasbeen performed or otherwise such that the activity request issynchronous with the completion of the security assessment. For purposesof illustration, in the example interaction of FIG. 11B, assume that theONM system manager 110 determines that a security assessment should beperformed before execution of the virtual machine network activitycorresponding to the activity request. Additionally, assume that theassessment preferences of the relevant assessment profile indicate thatthe ONM system manager 110 should cause a targeted security assessmenton a set of virtual machine instances 107A-107F. As illustrated, the ONMsystem manager 110 conducts the targeted security assessment prior tocausing the execution of the virtual machine network activitycorresponding to the network request. In another embodiment, the ONMsystem manager 110 can further determine whether to cause execution ofthe virtual machine network activity based on feedback regarding theresults of the security assessment. For the purposes of illustration,this determination can be based on various security criteria includingthe success of a particular set of tests performed as part of thesecurity assessment, whether the security assessment uncovers a certainnumber or combination of virtual machine network vulnerabilities, asecurity threat level value based on an assessment of potential threatsand vulnerabilities, whether an aggregate security value based on theresults of the security assessment crosses a threshold value, amongothers. As previously discussed, although FIG. 11B illustrates atargeted security assessment that occurs prior to executing theactivity, one skilled in the relevant art will appreciate that thecomponents targeted by a security assessment, the type of assessmentperformed, and the timing of the security assessment can be separatelyconfigured.

In still another embodiment, the ONM system manager 110 can cause theinstantiation of a new set of virtual machine instances in order toperform one or more security assessments without affecting the state orperformance of an extant virtual machine network (not shown). For thepurpose of illustration, this new set of virtual machine instances maybe configured with unique settings, or may be instantiated with settingsand state corresponding to an existing set of virtual machine instances.The ONM system manager 110 can cause the execution of the new set ofvirtual machine instances and cause the performance of a securityassessment on this new set of virtual machine instances to test forpossible vulnerabilities. In one aspect, for the purpose of example, theONM system manager 110 may cause performance of a security assessment onthe new set of virtual machine instances before or after determiningwhether to cause the execution of a corresponding set of existingvirtual machine instances. In another aspect, the ONM system manager mayremove or delete one or more members of a new or existing set of virtualmachine instances from the virtual machine network based on the resultsof the security assessment. These determinations may be based on varioussecurity criteria as described above.

In yet another embodiment, the ONM system manager 110 can identify andisolate a set of virtual machine instances before execution of the setof virtual machine instances. Specifically, for the purpose of example,isolation may include preventing contact or limiting access between anyvirtual machine instance associated with the identified set of virtualmachine instances and other virtual machine instances or communicationnetworks. The ONM system manager 110 may cause the performance of asecurity assessment on the isolated set of virtual machine instances totest for possible vulnerabilities before determining whether to restorethe set of virtual machine instances. This determination may be based onvarious security criteria as described above.

With reference now to FIG. 12 , a flow diagram illustrative of a virtualmachine network security assessment configuration routine 1200 executedby a virtual machine manager, such as ONM system manager 110 of FIG. 10, will be described. Illustratively, routine 1200 can be implementedupon determination of a virtual machine network configuration event, orupon receipt of a configuration request from the client computingsystems. At block 1204, the ONM system manager 110 obtains an assessmentconfiguration. This assessment configuration may be dynamicallygenerated in response to a virtual machine network configuration event,or may be obtained from an assessment configuration request.Illustratively, the assessment configuration may correspond to one ormore security assessment events and assessment preferences includingassessment extents, assessment types, assessment timings, as well as anynumber of additional types of security assessment configurationinformation as discussed below with reference to FIG. 14 .

At block 1208, the ONM system manager 110 obtains an assessment profile.In one aspect, the ONM system manager 110 may obtain an existingassessment profile to update with the configuration information.Illustratively, this existing assessment profile may be obtained from avariety of sources such as storage nodes 804 of FIG. 10 , the memory ofthe ONM system manager 110, or any other type of storage device or cachesource. In another aspect, the ONM system manager 110 may generate a newassessment profile. As discussed above with reference to FIG. 10 , anillustrative assessment profile may contain information or executablecode associating the assessment profile with a security assessment eventor describing one or more assessment preferences. At block 1212, the ONMsystem manager 110 applies the assessment configuration to theassessment profile. Illustratively, applying an assessment configurationto an assessment profile may include modifying one or more values orassociations of the assessment profile to reflect configurationinformation included in the assessment configuration. This may includevarious modifications to the assessment profile such as associating anassessment profile with a new security assessment event, or changing anassessment profile's assessment preference information, among a varietyof others. At block 1216, the ONM system manager 110 transmits theassessment profile to storage nodes 804. It will be appreciated by oneskilled in the relevant art that storage nodes 804 may correspond to oneor more physical or logical storage devices, and that one or more copiesof an assessment profile may be stored. The virtual machine networksecurity assessment configuration routine ends at block 1220.

With reference now to FIG. 13 , a flow diagram illustrative of a virtualmachine network security assessment routine 1300 executed by a virtualmachine manager, such as ONM system manager 110 of FIG. 10 , will bedescribed. The routine 1300 may begin at block 1302 with a request forexecution of a virtual machine network activity. Illustratively, thisrequest may be generated from a client computing system or other source.At block 1304 the ONM system manager 110 may determine a securityassessment event based on the virtual machine activity request. Inanother embodiment, the ONM system manager 110 may determine a securityassessment event based on a detected activity associated with theexecution of the virtual machine network.

At block 1306 the ONM system manager 110 may identify one or moreassessment profiles. Illustratively, the assessment profiles may beobtained from a variety of sources as described above with reference toFIG. 12 , and identified based on their association with the determinedsecurity assessment event. At block 1308 the ONM system manager 110 maydetermine assessment preferences for the security assessment event.Illustratively, these assessment preferences may be dynamicallydetermined by the ONM system manager 110 or associated with anassessment profile. Assessment preferences may correspond to assessmenttypes, assessment extents, and assessment timings as discussed belowwith reference to FIG. 14 , as well as any number of additional kinds ofsecurity assessment configuration information. In one embodiment, theONM system manager 110 may be configured to dynamically determineassessment preferences based on obtained external information concerningsecurity vulnerabilities. For the purposes of illustration, the ONMsystem manager 110 may obtain information on threats or traffic patternslocal or external to the virtual machine network, or may base itsdetermination on security information provided by third parties.

Returning to FIG. 13 , at block 1310, the ONM system manager 110determines whether the virtual machine network activity associated withthe request should be executed before or after the performance of asecurity assessment. Illustratively, this determination may be based onassessment preferences such as assessment timing, or on other criteriamaintained by the ONM system manager 110. The timing of theinstantiation of the security assessment may correspond to the type ofassessment or type of activity that is requested or detected. Forexample, an assessment profile may indicate that the addition of a newnetwork component to the virtual machine network would trigger asecurity assessment for all of the components associated with thevirtual machine network as a safeguard measure. Accordingly, the timingof the security assessment can occur in parallel or asynchronously fromthe addition of the network component.

If the ONM system manager 110 determines that the security assessmentshould be performed before the execution of the requested activity, theroutine 1300 proceeds to block 1314 and the ONM system manager 110causes the performance of a security assessment. Illustratively, thissecurity assessment may be performed by a number of components of thevirtual machine network, including but not limited to the ONM systemmanager 110, other systems of the virtual machine network, or anycombination of third-party hardware or software. For the purposes ofillustration, security assessment procedures may include procedures forperforming security assessments, such as vulnerability scans, on any ofvarious types of virtual network assets such as physical computingsystems and devices, virtual machine instances, and virtual machinenetwork configurations, among others. Specifically, for purposes ofexample, security assessment procedures may include procedures such ascomputer virus scans, tests against known exploits, software bugdetection, input and validation checking, load testing, and theidentification of flaws in hardware or software design orimplementation, password handling, or privilege management, among avariety of others.

In one aspect, assessment procedures may have no effect on the set ofvirtual machine instances being scanned or assessed. In an alternateaspect, assessment procedures may change or destructively affect theinternal configuration, data, or state of the set of virtual machineinstances being scanned or assessed. For example, an assessment type mayspecify a thorough test of known exploits against a virtual machineinstance that may modify or destroy some of the internal data of thevirtual machine instance.

In another embodiment, the ONM system manager 110 may be configured tostore the results of a security assessment along with a record of theassociated security assessment event. The ONM system manager 110 maythen subsequently obtain the stored results of a previous securityassessment associated with a security assessment event rather than causethe performance of a new security assessment. Illustratively, thestorage of security assessment results may allow the ONM system manager110 to quickly and efficiently obtain assessment results in situationswhere a similar or identical assessment has previously been performed.Specifically, in an illustrative embodiment, the ONM system manager 110may store the results of a security assessment performed on a newlyinstantiated virtual machine instance along with the associated virtualmachine configuration or request to instantiate a new instance. Forpurposes of this example, the ONM system manager 110 may then obtain thestored results of the previous security assessment rather than cause theperformance of a new assessment when a later request to instantiate asimilar machine is detected.

Under one embodiment, the stored results of a security assessment may beassociated with an expiration time or date. Illustratively, ONM systemmanager 110 may discard expired stored security assessment results whena triggering security assessment event is detected and cause theperformance of a new security assessment to ensure that any storedresults are accurate and valid under current network conditions. It willbe appreciated that expiration times or dates may be associated with allor any subset of stored security assessment results. Expiration datesmay be consistent or may vary across any combination of securityassessment results, and may be determined dynamically or on the basis ofone or more preconfigured values. It will further be appreciated thatsecurity assessment results may be stored at storage nodes 804 in FIG.10 or any other combination of storage locations including at clientcomputing systems 145. Assessment results may be stored for all or anysubset of possible activities, requests, or security assessment events.In some embodiments, security assessment results may be associated withsecurity assessment events, or may be associated with one or moreproperties or configurations associated with a virtual network request.

At block 1316 the ONM system manager 110 determines whether the resultsof the security assessment are satisfactory. In one embodiment, thisdetermination may be based on various security criteria including thesuccess of a particular set of tests performed as part of the securityassessment, whether the security assessment identifies a certain numberor combination of virtual machine network vulnerabilities, a securitythreat level value based on an assessment of potential threats andvulnerabilities, whether an aggregate security value based on theresults of the assessment crosses a threshold value, among others. Ifthe assessment results are satisfactory, the ONM system manager 110proceeds to block 1312 and causes the execution of the requested virtualmachine network activity.

Returning to block 1310, if the ONM system manager 110 determines thatthe requested activity should be executed before the performance of thesecurity assessment, the routine proceeds to block 1312 and the ONMsystem manager 110 causes the execution of the requested virtual machinenetwork activity. At block 1314 the ONM system manager 110 causes theperformance of a security assessment. This security assessment may beperformed before, after, or simultaneous with the execution of therequested virtual machine network activity as described above withreference to FIG. 11A.

At block 1318 the ONM system manager 110 logs the assessment results.Illustratively these result logs may be stored at storage nodes 804 inFIG. 10 or any other combination of storage locations including atclient computing systems 145. In one embodiment, these logs may begenerated or updated dynamically to reflect the results of frequent orcontinuous security assessments. Optionally, the ONM system manager 110may generate an assessment notification event at block 1320. In oneembodiment, this assessment notification event may cause information tobe provided to a user, including result logs, notifications that useraction is required, or any other information based on the results of asecurity assessment.

The ONM system manager may additionally cause the user to be charged afee (not shown) for the provision of a log or notification. In oneembodiment, a security assessment may be performed automatically orcontinuously, but a user may be required to pay a fee in order to obtaina report of the results of the security assessment. In anotherembodiment, a user may be charged a fee on a per security assessmentbasis. Illustratively, this fee may vary based on a number of factors,including the extent, type, and timing of the security assessment, theuser's service contract, and other criteria associated with the user,virtual machine network, or security assessment. In still anotherembodiment, a virtual machine network host may pay or reward a user forreceiving regular security assessments. For example, users may be givena discount in the price of hosting if they submit to regular securityassessments to ensure the security of their virtual networkconfiguration.

In an additional embodiment, the ONM system manager may further take acorrective action based on the results of the security assessment (notshown). For purposes of illustration, this action may include any actionto notify, modify, correct, isolate, or reveal any aspect of the virtualmachine network based on the results of the security assessment. Theroutine ends at block 1322.

With reference now to FIG. 14 , an illustrative embodiment of a userinterface 1400 for defining an assessment configuration will bedescribed. The user interface 1400 may contain a network identifier 1402identifying the virtual machine network that the assessmentconfiguration is being defined for. The user interface 1400 mayadditionally include a notification address 1404 where usernotifications may be provided as described above with reference to FIG.13 . The user interface 1400 may further include a link 1406 to acurrent assessment profile detailing current security assessmentconfiguration information.

The user interface 1400 may further include an assessment event dropdown1408 or other means for selecting a security assessment event associatedwith the assessment configuration. Security assessment events may bedefined for any type of activity associated with the execution of thevirtual machine network or request for execution of a virtual machinenetwork activity, as described above with reference to FIG. 10

The user interface 1400 may further include an assessment type dropdown1410 or other means for selecting a security assessment type assessmentpreference associated with the assessment configuration. An assessmenttype may correspond to any number of security assessment procedures.Illustratively, these security assessment procedures may be implementedand designed by the host of the virtual machine network, a user of oneor more virtual machine instances within the virtual machine network, ora third party provider of assessment or scanning tools, among others.

In one embodiment, these security assessment procedures may includevulnerability scans or any procedure intended to potentially reveal oridentify a vulnerability or configuration state of a virtual machinenetwork asset, where a vulnerability may be understood as any weaknessin design, implementation, operation, or internal control. For thepurposes of illustration, security assessment procedures may includeprocedures for assessing any of various types of virtual network assetssuch as physical computing systems and devices, virtual machineinstances, and virtual machine network configurations, among others.Specifically, for purposes of example, security assessment proceduresmay include procedures such as computer virus scans, tests against knownexploits, software bug detection, input and validation checking, loadtesting, and the identification of flaws in hardware or software designor implementation, password handling, or privilege management, among avariety of others.

In one aspect, performance of a set of security assessment proceduresmay have no effect on the set of virtual machine instances beingassessed. In an alternate aspect, assessment procedures may change ordestructively affect the internal configuration, data, or state of theset of virtual machine instances being assessed. For example, anassessment type may specify a thorough test of known exploits against avirtual machine instance that may modify or destroy some of the internaldata of the virtual machine instance. Illustratively, these destructiveassessment procedures may allow for rigorous security assessments orvulnerability testing without affecting the configuration of the virtualmachine network when performed on sets of virtual machine instancesbeing removed from the virtual machine network, or on sets of virtualmachine instances specifically instantiated for testing purposes.

The user interface 1400 may further include an assessment extentdropdown 1412 or other means for selecting a security assessment extentassessment preference associated with the assessment configuration. Anassessment extent may specify any number of sets of virtual machineinstances or network assets to assess. In one embodiment, sets ofvirtual machine instances to assess may be predetermined by a user oradministrator. In another embodiment, sets of virtual machine instancesmay be determined dynamically based on criteria related to each of thesets of virtual machine instances. Illustratively, these criteria mayinclude any property of hardware, software, or activity associated withthe set of virtual machine instances. For example, these criteria mayinclude a hardware profile of the physical computing systems hosting oneor more virtual machine instances within the set of virtual machineinstances, a software profile of the set of virtual machine instances,an activity or volume of activity associated with the set of virtualmachine instances, or various other criteria. It will be appreciated byone skilled in the relevant art that an assessment extent may be definedto correspond to one or a combination of these criteria or predeterminedsets. For example, an assessment extent may include a firstpredetermined set of virtual machine instances along with a seconddynamically determined set of all virtual machine instances receivingmore than a specified average volume of network traffic and hosted on aphysical computing system with a particular brand of hardware networkinterface card.

It will further be appreciated by one skilled in the relevant art thatan assessment extent may include a currently operational set of virtualmachine instances, or may specify a new instantiation of a set ofvirtual machine instances. For example, a current set of virtual machineinstances may be duplicated for the purposes of testing, and theduplicates may be removed once testing is complete to avoid affectingthe state or data of the virtual machine network.

The user interface 1400 may further include an assessment timingdropdown 1412 or other means for selecting a security assessment timingassessment preference associated with the assessment configuration. Anassessment timing may specify when to cause the performance of asecurity assessment. For the purposes of illustration, an assessmenttiming may specify an absolute amount of time to wait or an order ofoperations relative to the execution of a particular event. For example,an assessment timing may specify that a security assessment is to beperformed before, after, or simultaneous to the execution of theactivity associated with the security assessment event. In oneembodiment, an assessment timing may additionally specify that theexecution of the activity associated with the security assessment eventis to be delayed, or is contingent on the results of the securityassessment.

The user interface 1400 may further include a notify on securityassessment failure check-box 1416 or other means for indicating arequest for a user notification as described above with reference toFIG. 13 . The user interface 1400 may additionally include an addconfiguration button 1418. For purposes of illustration, the addconfiguration button may cause the ONM system manager 110 to obtain avirtual machine network assessment configuration from the clientcomputing systems 145 as discussed above with reference to FIG. 10 .

It will be appreciated by one skilled in the relevant art that a networksystem manager can be configured to manage security assessments inresponse to any network activity, request, or event discussed in thedescription of the virtual machine network above, and further may beconfigured to respond to any of a variety of other network activities,requests, or events available to a network system manager under variousother configuration of virtual or programmatically controlled networks.It will be further appreciated by one skilled in the relevant art thatthe above embodiment and description of the invention in the context ofa virtual machine network is provided for purposes of illustration onlyand that in accordance with aspects of the present disclosure thecurrent invention can be implemented on any programmatically controllednetwork capable of providing network events to a network system manager.In some embodiments, for the purpose of example, the present inventioncan be implemented on any combination of hardware and software providingfor detection of requests, events, or activities associated with themodification or execution of network resources. In some aspects, thesenetwork requests, events, and activities may be available to serviceproviders, users or customers, or administrators of a virtual orprogrammatically controlled network. In other aspects these networkrequests, events, and activities may only be available or detectable bya service provider, and may not be available or detectable by a user orcustomer of the programmatically controlled network. In variousembodiments, aspects of hardware and software implementing thisinvention may be provided by a network service provider, a networkservice provider customer, or any third-party provider of computingdevices, software, or computing services.

It will be appreciated by those skilled in the art and others that allof the functions described in this disclosure may be embodied insoftware executed by one or more processors of the disclosed componentsand communications devices. The software may be persistently stored inany type of non-volatile storage.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements, and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Any process descriptions, elements, or blocks in the flow diagramsdescribed herein and/or depicted in the attached figures should beunderstood as potentially representing modules, segments, or portions ofcode which include one or more executable instructions for implementingspecific logical functions or steps in the process. Alternateimplementations are included within the scope of the embodimentsdescribed herein in which elements or functions may be deleted, executedout of order from that shown or discussed, including substantiallyconcurrently or in reverse order, depending on the functionalityinvolved, as would be understood by those skilled in the art. It willfurther be appreciated that the data and/or components described abovemay be stored on a computer-readable medium and loaded into memory ofthe computing device using a drive mechanism associated with a computerreadable storing the computer executable components such as a CD-ROM,DVD-ROM, or network interface further, the component and/or data can beincluded in a single device or distributed in any manner. Accordingly,general purpose computing devices may be configured to implement theprocesses, algorithms, and methodology of the present disclosure withthe processing and/or execution of the various data and/or componentsdescribed above.

It should be emphasized that many variations and modifications may bemade to the above-described embodiments, the elements of which are to beunderstood as being among other acceptable examples. All suchmodifications and variations are intended to be included herein withinthe scope of this disclosure and protected by the following claims.

What is claimed is:
 1. A computer implemented method for managing avirtual machine network comprising: detecting an execution activityassociated with execution of a virtual machine instance or a request forexecuting an execution activity on the virtual machine instance, whereinthe execution activity is related to execution on an alreadyfully-instantiated virtual machine instance; determining an executionsecurity assessment event from a plurality of execution securityassessment events based, at least in part, on the detected executionactivity or requested execution activity; and causing performance of asecurity assessment on the virtual machine instance based, at least inpart, on the determined execution security assessment event and based onat least one respective assessment preference, wherein causingperformance of the security assessment comprises causing performance ofthe security assessment at least one of before, after, or simultaneousto the execution activity associated with the execution securityassessment event.
 2. The method of claim 1, wherein the at least onerespective assessment preference includes at least one of a respectiveassessment timing, assessment type, or assessment extent.
 3. The methodof claim 1 further comprising causing instantiation of a set of virtualmachine instances in order to perform the security assessment.
 4. Themethod of claim 3, wherein the security assessment is performed on theset of virtual machine instances without affecting a state orperformance of the virtual machine network.
 5. The method of claim 1,wherein the causing performance of the security assessment includescausing performance of procedures corresponding to at least one ofcomputer virus scans, tests against known exploits, software bugdetection, input and validation checking, load testing, and theidentification of flaws in hardware or software design orimplementation, password handling, or privilege management.
 6. Themethod of claim 1 further comprising storing results of the securityassessment.
 7. The method of claim 1 further comprising determiningwhether results of the security assessment are satisfactory.
 8. Themethod of claim 7, wherein determining whether the results of thesecurity assessment are satisfactory is based on at least one of asuccess of a particular set of tests performed as part of the securityassessment, whether the security assessment identifies a certain numberor combination of virtual machine network vulnerabilities, a securitythreat level value based on an assessment of potential threats andvulnerabilities, or whether an aggregate security value based on theresults of the assessment crosses a threshold value.
 9. A systemcomprising: a data store configured to at least storecomputer-executable instructions; and a hardware processor incommunication with the data store, the hardware processor configured toexecute the computer-executable instructions to at least: determine anexecution security assessment event from a plurality of executionsecurity assessment events based, at least in part, on a detectedexecution activity or execution request for the execution activity,wherein the execution activity is related to execution on an alreadyinstantiated virtual machine instance; and cause performance of asecurity assessment on the virtual machine instance at least one ofbefore, after, or simultaneous to the execution activity associated withthe execution security assessment event based, at least in part, on thedetermined execution security assessment event and based on at least onerespective assessment preference.
 10. The system of claim 9, wherein thehardware processor is further configured to generate one or more resultsof the security assessment.
 11. The system of claim 10, wherein thehardware processor is further configured to cause at least onecorrective action based on the one or more results of the securityassessment.
 12. The system of claim 11, wherein the at least onecorrective action includes at least one action to notify, modify,correct, isolate, or reveal any aspect of a virtual machine network thatincludes the already instantiated virtual machine instance.
 13. Thesystem of claim 10, wherein the one or more results of the securityassessment are associated with respective expiration time or date. 14.The system of claim 9, wherein the hardware processor is furtherconfigured to charge a user a fee for causing performance of thesecurity assessment.
 15. The system of claim 14, wherein an amount ofthe fee is based on a type of the security assessment performed.
 16. Anon-transitory computer-readable medium storing computer executableinstructions that when executed by a processor perform operationscomprising: detecting an execution activity on a virtual machineinstance or a request for executing the execution activity on thevirtual machine instance, wherein the execution activity is related toexecution on a fully-instantiated virtual machine instance; determiningan execution security assessment event from a plurality of executionsecurity assessment events based, at least in part, on the detectedexecution activity or request; and causing performance of a securityassessment on the virtual machine instance based, at least in part, onthe determined execution security assessment event and based on at leastone respective assessment preference, wherein causing performance of thesecurity assessment comprises causing performance of the securityassessment at least one of before, after, or simultaneous to theexecution of the activity associated with the execution securityassessment event.
 17. The non-transitory computer-readable medium ofclaim 16, wherein the operations further comprise obtaining externalinformation concerning security vulnerabilities.
 18. The non-transitorycomputer-readable medium of claim 17, wherein the at least onerespective assessment preference is determined based, at least in part,on the external information concerning security vulnerabilities.
 19. Thenon-transitory computer-readable medium of claim 16, wherein theoperations further comprise rewarding a user for the performance of thesecurity assessment.